Thousands of Magento shopping carts vulnerable worldwide.

Magento hoster and security specialist Willem de Groot showed iTnews a list of 5900 sites around the world running unpatched, vulnerable versions of the web shopping cart, which have been hacked to serve up malicious Javascript code to unsuspecting customers.

Some 267 vulnerable Australian and New Zealand Magento stores were found by de Groot, who has set up the Magereport site, providing a free check to see if the latest patches are installed for the popular e-commerce platform.

The Australian sites range from online retail shops to art galleries and not-for-profit organisations. iTnews contacted a sample of operators, asking if they were aware of the issue and if they intended to address it.

Most of those contacted did not respond, but Bart Nanka, who manages an online Queensland organic herbs retailer, said the company's development team patched the site after being notified by iTnews of the issue.

Some Australian sites on de Groot's list are blocked by Google's Safe Browsing feature, used in Chrome and other browsers to warn users of malware.

Analysis by de Groot of the obfuscated malicious Javascript revealed that the code captures credit card details entered by customers and transmits them to a site hosted by a Russian provider.

The card skimming occurs without customer interaction or notification. De Groot said the skimming incidents have been taking place since November 2015, thanks to site operators being slow to patch their stores for Magento vulnerabilities.

One high-profile website that served up the card-skimming Javascript malware is run by the United States Senate Republicans for soliciting donations. The site was patched earlier this month, but de Groot estimated that the malicious Javascript had been injected into its Magento cart some six months ago.

A conservative calculation of visitors to the Republicans site placed the number of stolen cards at 21,000 since March this year. At US$30 per card, the criminals would have made US$600,000 or thereabouts from the Republicans site alone, de Groot said.

The number of e-commerce sites serving up the malicious Javascript to customers has risen sharply since November last year when the malware first appeared.

De Groot counted 3501 vulnerable sites in November 2015, but in September this year, the number was 5925, an increase of 69 percent.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.